
Single Sign-On for Java 3.3.2 - Administration Guide


General

Problem:

When connecting to the servlet an Error page is displayed indicating an Internal Server error.

This error is due to either a configuration problem on the server, a misconfiguration of the client browser, or some other internal failure such as an incorrect response returned from a key distribution center. Depending on your application server, a more detailed message may be displayed in the error page, or you may need to look at the application server log files for the root cause. The known causes are listed below.

Cause 1:

Could not get service ticket for <principal>@<REALM>

This error will be shown in the application server's logs as:

CryptoException: Integrity Check Fail

It is indicative of a keytab that has been created with an incorrect password.

Resolution 1:

To resolve the problem, you should regenerate the keytab using the correct password.

Cause 2:

Error 500: Filter [authFilter]: com.wedgetail.idm.sso.AuthFilter was found, but is missing another required class.

Java 2 Security has been enabled without a suitable policy file.

Resolution 2:

Either disable Java 2 Security or contact us for help building a suitable security policy file.

Cause 3:

[Servlet Error]-[Filter [authFilter]: could not be initialized]: com.dstc.security.kerberos.KerberosException: key type mismatch

This problem only occurs on Microsoft Windows 2003 when a service request is sent with an encryption type (enctype) that is different from that of the service ticket returned. It is only a problem with memory keytabs.

Resolution 3:

One solution is to change the Active Directory user account for the service so that the Use DES Only option is checked. Alternatively, you could use a file keytab.

Active Directory

Problem:

I created a new service principal, but then I received an “Integrity check failure” message.

Cause:

Sometimes Active Directory doesn't set the keys properly for a newly created service principal until you log in to that account once.

Resolution:

Log in as that user, log out and then restart your application server software.

Browsers

Problem:

Single Sign-on for Java returns the following HTTP error response codes:

401 (UNAUTHORIZED) -- request is not authorized

403 (FORBIDDEN) -- access to requested resource is forbidden

500 (INTERNAL SERVER ERROR) -- internal server error.

Cause:

Error responses from Single Sign-on for Java will typically return no content, and display on the client browser as an empty page.

Resolution:

If you want to display different content for such errors, or to take some other action based on such errors, add an <error-page> element to web.xml. For example:

    <error-page>
        <error-code>401</error-code>
        <location>/errors/401.html</location>
    </error-page>

Internet Explorer browsers

Problem:

When using Internet Explorer, you are presented with a username and password dialog box rather than being automatically logged in.

Cause:

This occurs when Internet Explorer does not recognize the hostname as being part of the Intranet Zone. You may not have configured Internet Explorer to use Windows Integrated Authentication.

Resolution:

For SPNEGO, check that your Internet Explorer version is 5.5 or greater.

Follow the steps in to ensure that Internet Explorer has been correctly configured to support SPNEGO.

Problem:

The following error is encountered when authenticating against the server: [ERROR]: Provider protocol error: com.wedgetail.idm.spnego.server.SpnegoException: java.lang.SecurityException: Unsupported keysize or algorithm parameters

Cause:

This problem is encountered when using a version of Internet Explorer that does not have the “High Encryption Pack” installed.

Resolution:

There are two work-arounds:

Problem:

Internet Explorer displays DNS error page

Cause:

If the user account is disabled at any time, Kerberos can’t renew credentials for the user.

Problem:

Internet Explorer displays a blank page

Cause 1:

Windows Integrated Authentication is not enabled.

Resolution 1:

See Setting up Internet Explorer for SSO.

Cause 2:

You are going through a proxy that does not support session-based authentication.

Resolution 2:

Disable the proxy in your browser.
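
The log signatures quoted on this page can be matched against an application server log in one pass. The script below is an added example, not part of the product or its tools; the function name `triage`, the sample log layout and its timestamps are assumptions made for illustration. It reports every candidate cause for a signature, because an integrity check failure has two possible causes on this page.

```python
import re

# Signatures quoted on this page, each mapped to the cause(s) the page gives.
# Matching is case-insensitive because the page quotes both
# "Integrity Check Fail" and "Integrity check failure".
SIGNATURES = [
    (re.compile(r"integrity check fail", re.I),
     ["keytab created with an incorrect password: regenerate the keytab",
      "new Active Directory service principal has not logged in yet: log in "
      "as that user, log out, then restart the application server"]),
    (re.compile(r"missing another required class", re.I),
     ["Java 2 Security enabled without a suitable policy file"]),
    (re.compile(r"KerberosException: key type mismatch", re.I),
     ["encryption type mismatch with a memory keytab: check Use DES Only "
      "on the service account, or use a file keytab"]),
    (re.compile(r"Unsupported keysize or algorithm parameters", re.I),
     ["Internet Explorer without the High Encryption Pack"]),
]

def triage(log_lines):
    """Return {candidate cause: [line numbers]} for every known signature."""
    hits = {}
    for lineno, line in enumerate(log_lines, start=1):
        for pattern, causes in SIGNATURES:
            if pattern.search(line):
                for cause in causes:
                    hits.setdefault(cause, []).append(lineno)
    return hits

# Constructed sample log: timestamps and layout are invented for illustration.
SAMPLE_LOG = """\
2005-03-01 09:12:01 INFO  server started
2005-03-01 09:12:07 ERROR Could not get service ticket for <principal>@<REALM>
2005-03-01 09:12:07 ERROR CryptoException: Integrity Check Fail
2005-03-01 09:15:44 ERROR [Servlet Error]-[Filter [authFilter]: could not be initialized]: com.dstc.security.kerberos.KerberosException: key type mismatch
2005-03-01 09:20:10 WARN  session expired
""".splitlines()

if __name__ == "__main__":
    for cause, lines in triage(SAMPLE_LOG).items():
        print(f"lines {lines}: {cause}")
```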
